Intellectual property strategies for security developers

The cybersecurity industry is experiencing unprecedented growth that is reflected in increased numbers of U.S. patents for information security inventions.

At the same time, the federal government and private industry are working toward further standardization. A proactive approach to intellectual property strategy can help create new opportunities and reduce the risk of being on the wrong end of a patent enforcement action.

Some of the most successful cybersecurity companies are developing innovative proprietary technologies, and many of these technologies are being patented. In 2010, the U.S. Patent and Trademark Office (PTO) granted 4,758 new U.S. patents on applications classified as relating to information security, nearly double the 2,406 granted in 2006.

Information Security Patents Granted

Year    Patents granted
2006    2,406
2007    2,589
2008    2,797
2009    3,517
2010    4,758

In 2008, the most recent full year for which data is publicly available, 4,387 new patent applications were filed for inventions classified as relating to information security. Because of the backlog at the PTO, many of these applications are still pending.

A U.S. patent gives an inventor the right to stop another from practicing the patented invention. That right matures only when the patent is issued by the PTO.

The patent pendency statistics for the PTO's Technology Center 2400 — the unit that examines most of the information security patent applications — indicate that in fiscal year 2010, it took an average of 27 1/2 months after filing of an application to make an initial patentability determination.

After that initial determination, the PTO took, on average, just over 15 months to issue a patent on that application. An accelerated examination procedure that can skip most of the backlog is available, but even this is likely to take about a year.

Given the amount of time required to obtain a patent, applications on cybersecurity innovations should be prepared and filed as early as potential commercial value is identified, and special consideration should be given to the accelerated examination procedure.

Working with standardization

The White House has been promoting greater standardization in cybersecurity since its Cyberspace Policy Review in 2009, and several bills have been introduced in Congress that would require compliance with new cybersecurity standards.

Numerous bills were pending before the 111th Congress adjourned, and many of those are likely to be reintroduced in some form in this session.

The establishment of new standards creates new opportunities for security companies.

The combination of legislative initiatives and the rate of patent filings increases the chances that key technologies required for implementing the new standards will be patented.

The inventors of the essential security technologies that are incorporated into the next set of cybersecurity standards may be well-positioned. To get there, the first step for a developer is to identify its key proprietary technologies and to apply for patents that are broad enough to cover techniques required for solutions in a way that minimizes the possibility for easy "design-arounds."

Technology companies would be well-served to focus on the big picture and not just specific implementations.

Monitoring the patent landscape

With the increasing number of new patents on inventions and the increasing revenues and valuations of security companies, the risk of being sued for infringement is increasing.

Entities that own patents, but do not actually practice the technology themselves, known as "nonpracticing entities," are starting to target the security industry. In some cases, these entities have developed the patented technology. In other cases, they have purchased the patents.

VirnetX, a company that holds security patents, sued five companies for infringement in 2010 and another two in January 2011, alleging infringement of two patents covering a network protocol for secure communications.

Intellectual Ventures, a company that claims to have purchased more than 30,000 patents and applications in a broad range of technologies, filed a patent infringement suit against four of the largest companies in the software security industry in December.

Also in December, Secure Axcess sued more than 20 major banks, alleging they infringed patents purporting to cover a secure login process that displays a predetermined image to a user before entering a password.

A company may find itself unexpectedly accused of patent infringement by either a well-known direct competitor or a previously unknown company.

Some of these lawsuits are filed after the breakdown of lengthy negotiations or several years after the asserted patents were granted. In other cases, the lawsuits are filed soon after the patent is granted or with no advance warning.

It is not possible to eliminate all risk of being accused of patent infringement, but some measures can be taken to reduce or better assess that risk.

As an initial matter, a company should try to identify its competitors' granted patents and pending patent applications. To better detect the activities of nonpracticing entities and others besides known competitors, companies can monitor keywords in patent applications as they are published and in patents as they are granted.

Once patents or pending patent applications are identified, they can be analyzed, and pending applications can be monitored to determine whether the company's products and services might be implicated by the patents.

If the patents relate to products or activities in a competitive market, it is likely that their owners are already assessing the strategic value of enforcement action.

Knowing about these risks early enables a company to formulate a proactive, rather than a reactive, intellectual property strategy.

James Denaro and Mark Ungerman are members of the Cybersecurity Practice at Morrison & Foerster.